There are 4 stages of Splunking -
1. Inputs - data is gathered from sources (files, network, servers, applications etc)
2. Parsing - data is analyzed, broken into events, metadata (such as timestamp, source type etc) is assigned, and (optional) raw data can be filtered or modified
3. Indexing - the data is written to permanent storage in Splunk
4. Searching - searches are run on the data stored in Splunk
Whatever volume of data is written to disk in stage 3, you should purchase that much license.
... View more